COMMAND
BlackICE
SYSTEMS AFFECTED
BlackICE Defender 2.1 and older; BlackICE Pro Agent 2.0.23 and
older (when configured at security level NERVOUS or lower)
PROBLEM
Mike DeMaria found the following against BlackICE Defender 2.1 (by
Network ICE Corp.) and older versions configured at security level
NERVOUS or lower. Also vulnerable is BlackICE Pro Agent 2.0.23
(by Network ICE Corp.) and older versions configured at security
level NERVOUS or lower.
At security level NERVOUS or lower, BlackICE and the host
protected by BlackICE are vulnerable to Back Orifice (BO) 1.2.
Recall that BO 1.2 uses UDP as a client-server transport protocol,
and the BO server uses a high UDP port, by default, to run its
service. BlackICE configured at NERVOUS security level or below
does not block the high UDP ports.
If a BO 1.2 server infects a host and that BO server runs at a
high UDP port (1024 or higher), then BlackICE set to security
level NERVOUS or below will not be able to fully protect a host
from BO client-transmitted commands because at least one BO
command will get through before the automated BlackICE protection
engine kicks in. As such, the BO infected and BlackICE-protected
host is vulnerable to almost any commands a BO 1.2 client can
issue.
Pre-2.1 versions of BlackICE (where auto IP address blocking is
available, but auto port blocking is not) are additionally
vulnerable to being shut down by a BO server under the control of
a remote BO client, provided the cracker has access to two
different IP addresses.
To reproduce this vulnerability you need BlackICE on a Windows
95/98/NT/2000 system that is infected with a BO 1.2 server. The
BlackICE security level must be set to Nervous or lower.
From another machine, run the BO 1.2 client and issue one of the
many commands available to it against the host running BlackICE.
You will notice that after a few seconds, the BO 1.2 client has
been IP address-blocked by BlackICE (on BlackICE Defender 2.1 or
newer, an auto-port block also kicks in), but the BO command is
executed on the target system and a response transmitted back to
the client. Note that BlackICE will detect the Back Orifice
response; this is what triggers the auto blocking countermeasures.
If you are running pre-2.1 BlackICE, you can shut down the
BlackICE engine itself. Do this by issuing a BO command that
returns a process list from the infected host. Although the first
BO client host will be IP address-blocked by BlackICE, another BO
client on a different IP address can use the information returned
to the first client to determine the process ID of blackd.exe
(the BlackICE protection and detection engine) and send a kill
process command to the BO server running on the target host.
BlackICE has four main security levels: Trusting, Caution,
Nervous, Paranoid. At the Paranoid level, all incoming TCP and UDP
traffic is blocked. The vulnerability I found does not happen when
you set the security to Paranoid. However, this may interfere with
some Internet programs, so many users may want to set it to
Nervous or lower. BlackICE Defender and Agent are supposed to do
real-time intrusion detection. To its credit, BlackICE did
detect a Back Orifice 1.20 attack. However, it catches it after
the fact, allowing a few response packets to be transmitted.
Using BlackICE 2.0.23, Mike was able to issue one BO command,
"proclist". This gave him the list of running processes, from
which he read the blackd.exe process ID. By this point in time
BlackICE has shunned the client's IP address, so changing IP and
issuing a prockill command on the blackd.exe PID kills the
firewall completely and leaves the machine open. Mike also noticed
that, on a different machine, he was able to issue the "dir"
command about four times before his IP address was shunned. It
should be fairly simple to write a script that does a proclist,
greps for blackd.exe, and kills the PID, all within a second or
two.
BlackICE Defender 2.1 automatically shuns not only the IP address
but also the port when it detects a BO attack. However, once
again, this happens only after the fact: one can issue between one
and five BO commands by hand before BlackICE reacts. The same
attack as above still works by either 1) running two Back Orifice
servers on the victim (on different ports, so the second client is
not caught by the port block), or 2) typing fast enough, preferably
with a script. Mike used the two-server method and was able to
kill the firewall completely. Either way, if you merely wish to
annoy, you can always issue the lockup or reboot BO command.
The issue here is not the quantity of BO commands, but speed.
BlackICE will detect a BO attack even if you send just one
command. The problem is that there is a delay of a few seconds
between the command being delivered and the block taking effect,
and that window is the hole. Note that this problem does not exist
with BO2K (which first establishes a connection to the host
machine before allowing commands to be executed).
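The gap described above, reactive blocking versus default-deny, is easy to lose in prose, so here is an added example that models it; this is illustrative code written for this page, not BlackICE's engine, Network ICE code, or the BO 1.2 client, and it does not reproduce the BO wire protocol. The firewall class, the constructed process list (the real proclist reply format is not reproduced; only "name then PID per line" is assumed), the detection delay counted in packets, and the client IP addresses are all assumptions; 31337 is BO's well-known default UDP port. It runs the advisory's two-IP procedure against four configurations and reports whether the prockill reaches the server.

```python
# Added example (not from the advisory or Network ICE): a model of the
# policy difference the advisory describes, so the "shun after detection"
# window can be exercised offline. Names, the process-list format and the
# detection delay are constructed for illustration; BO 1.2's real wire
# format is not reproduced here.
from dataclasses import dataclass, field
from typing import Optional

BO_DEFAULT_PORT = 31337  # BO 1.2's well-known default UDP port


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    command: str  # BO command as typed in the client, e.g. "proclist"


@dataclass
class ReactiveFirewall:
    """Models the advisory's two regimes (assumed behaviour, not BlackICE code).

    NERVOUS (or lower): inbound UDP to high ports is passed; once the engine
    recognises a BO exchange it shuns the source IP (and, in the 2.1+ model,
    the destination port). The shun lands only after `detect_after` packets
    from a source have already been delivered: that is the window.

    PARANOID: all unsolicited inbound TCP/UDP is dropped, so no command is
    ever delivered and there is nothing to detect.
    """
    level: str                    # "NERVOUS" or "PARANOID"
    auto_port_block: bool         # True models Defender 2.1+, False pre-2.1
    detect_after: int = 1         # packets delivered before the shun lands
    shunned_ips: set = field(default_factory=set)
    shunned_ports: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)

    def inbound(self, pkt: Packet) -> bool:
        """Return True if the packet reaches the BO server behind the firewall."""
        if self.level == "PARANOID":
            return False
        if pkt.src_ip in self.shunned_ips or pkt.dst_port in self.shunned_ports:
            return False
        self.delivered.append((pkt.src_ip, pkt.dst_port, pkt.command))
        # Detection is triggered by the server's response, i.e. after delivery.
        n = self.seen.get(pkt.src_ip, 0) + 1
        self.seen[pkt.src_ip] = n
        if n >= self.detect_after:
            self.shunned_ips.add(pkt.src_ip)
            if self.auto_port_block:
                self.shunned_ports.add(pkt.dst_port)
        return True


# Constructed stand-in for a BO "proclist" reply (format assumed, not real).
SAMPLE_PROCLIST = """explorer.exe 148
blackd.exe 312
blackice.exe 340
winlogon.exe 40
"""


def find_pid(proclist: str, image: str) -> Optional[int]:
    """Pick the PID of `image` out of a name/PID listing; None if absent."""
    for line in proclist.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == image.lower():
            return int(parts[1])
    return None


def two_ip_attack(fw: ReactiveFirewall,
                  second_server_port: Optional[int] = None) -> dict:
    """Run the advisory's procedure: proclist from IP A, prockill from IP B.

    `second_server_port` models the 2.1 workaround of a second BO server on
    another UDP port; None means both clients talk to the same server port.
    """
    engine_killed = False
    pid = None
    if fw.inbound(Packet("10.0.0.1", BO_DEFAULT_PORT, "proclist")):
        pid = find_pid(SAMPLE_PROCLIST, "blackd.exe")
    if pid is not None:
        port = second_server_port or BO_DEFAULT_PORT
        engine_killed = fw.inbound(Packet("10.0.0.2", port, f"prockill {pid}"))
    return {"pid": pid, "engine_killed": engine_killed,
            "delivered": len(fw.delivered), "shunned": sorted(fw.shunned_ips)}


if __name__ == "__main__":
    for label, fw, port in [
        ("pre-2.1 NERVOUS", ReactiveFirewall("NERVOUS", auto_port_block=False), None),
        ("2.1 NERVOUS, one server", ReactiveFirewall("NERVOUS", auto_port_block=True), None),
        ("2.1 NERVOUS, two servers", ReactiveFirewall("NERVOUS", auto_port_block=True), 31338),
        ("PARANOID", ReactiveFirewall("PARANOID", auto_port_block=True), 31338),
    ]:
        print(f"{label:26s} {two_ip_attack(fw, port)}")
```

The point the model makes is that the pre-2.1 and single-server 2.1 cases differ only in what gets shunned, while in every NERVOUS case the first command is delivered before any shun exists; only PARANOID, which never delivers an unsolicited high-port UDP datagram, closes the window independent of how fast the engine reacts.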
SOLUTION
Not vulnerable: BlackICE Defender 2.1 (by Network ICE Corp.) and
older versions configured at security level PARANOID, and BlackICE
Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level PARANOID.
If you don't have anti-virus software on your machine, and
BlackICE detects a Back Orifice response, then your machine is
infected by BO. Immediately set your protection level to
PARANOID. This will break any communication between the BO client
and server. Better yet, simply set the BlackICE security level
to PARANOID before BlackICE detects such an event. The BO client
will never be able to go through the BlackICE firewall. This
solution will work regardless of the version of BlackICE you are
using.
If you are running Windows NT or 2000, your system is unlikely to
be infected by BO if you use a non-admin account for your day to
day work, so BlackICE will not be exposed to the vulnerability
presented by BO 1.2. If you are running Windows 95 or 98, and for
some reason you prefer not to set your security level to PARANOID,
then use anti-virus software to keep your system, and with it
BlackICE, from being exposed to this vulnerability.